Re: Secureboot: how to use MOK

2019-11-08 Thread Florian Weimer
* Steve Langasek: >> and this is the reason we have to require all modules to be signed by >> default. > > Enforcement of kernel module signatures is part of what's called the > "lockdown" featureset. It is optional, and not a requirement from > the UEFI spec, The requirement is in the Microsoft

Re: Secureboot: how to use MOK

2019-11-07 Thread Steve Langasek
On Thu, Nov 07, 2019 at 03:04:16AM +0100, Ansgar wrote: > Steve Langasek writes: > > On Sun, Oct 27, 2019 at 10:45:49AM +0100, Florian Weimer wrote: > >> * Thomas Goirand: > >> I don't think secure boot provides any benefit at all if you store the > >> kernel module signing key on the same machine.

Re: Secureboot: how to use MOK

2019-11-06 Thread Ansgar
Steve Langasek writes: > On Sun, Oct 27, 2019 at 10:45:49AM +0100, Florian Weimer wrote: >> * Thomas Goirand: >> I don't think secure boot provides any benefit at all if you store the >> kernel module signing key on the same machine. > > Generate the MOK certificate with EKU 1.3.6.1.4.1.2312.16.1.2

Re: Secureboot: how to use MOK

2019-11-05 Thread Steve Langasek
On Sun, Oct 27, 2019 at 10:45:49AM +0100, Florian Weimer wrote: > * Thomas Goirand: > > I've setup my new laptop with secureboot, and now, I can't use the DKMS > > modules from Virtualbox, as they aren't signed. I've been told by Sledge > > that I should use MOK to do that, and that DKMS packages

Re: Secureboot: how to use MOK

2019-10-27 Thread Thomas Goirand
On 10/27/19 10:45 AM, Florian Weimer wrote: > * Thomas Goirand: > >> I've setup my new laptop with secureboot, and now, I can't use the DKMS >> modules from Virtualbox, as they aren't signed. I've been told by Sledge >> that I should use MOK to do that, and that DKMS packages are supposed to >> ha

Re: Secureboot: how to use MOK

2019-10-27 Thread Florian Weimer
* Thomas Goirand: > I've setup my new laptop with secureboot, and now, I can't use the DKMS > modules from Virtualbox, as they aren't signed. I've been told by Sledge > that I should use MOK to do that, and that DKMS packages are supposed to > have all in them to support MOK. I don't think secure

Re: Secureboot: how to use MOK

2019-10-27 Thread Thomas Goirand
On 10/25/19 4:52 PM, Thomas Goirand wrote: > Hi, > > I've setup my new laptop with secureboot, and now, I can't use the DKMS > modules from Virtualbox, as they aren't signed. I've been told by Sledge > that I should use MOK to do that, and that DKMS packages are supposed to > have all in them to s

Secureboot: how to use MOK

2019-10-25 Thread Thomas Goirand
Hi, I've setup my new laptop with secureboot, and now, I can't use the DKMS modules from Virtualbox, as they aren't signed. I've been told by Sledge that I should use MOK to do that, and that DKMS packages are supposed to have all in them to support MOK. So my question is: - where may I find a do